[CCIE那点事] Original: Episode 1: Hands-on guide to configuring VPN: L2L site-to-site VPN

Source: original to this site | Category: CISCO

Lab environment:

A few days ago I was browsing the web and found a nice tool: only 100-odd MB, and without the heavy hardware requirements of an emulator.

It can run a lot of labs, VPN being one of them. Without further ado: the tool is Cisco Packet Tracer.

Hardware: five 2811 routers, standing in for, among others, the real-world headquarters router and the branch VPN router.

PC1 and PC2 are also simulated with 2811s.

If you don't know how to use it, see this post:

Article title: Original: Cisco Packet Tracer 6.0 Chinese-localized simulator and usage guide

Article link: http://www.jdccie.com/?p=1834 (please credit CCIE那点事 when reposting)

Topology:

(topology diagram image)

Lab objectives:

Make the 1.1.1.0/24 network at headquarters and the 2.2.2.0/24 network at the southern branch reachable from each other.

Internet traffic from the 1.1.1.0 and 2.2.2.0 networks each leaves through its own site's Internet line. I point this out because some companies send all branch Internet traffic through headquarters. Why? Well, if you are downloading a movie or the like, you had better watch out.

This topology is the first choice for any boss who has branch offices and expects something from IT. Master it and the boss never needs to worry about whether you can do the job.

Side note: why did I label the branch "southern branch"? There is a deeper meaning; I'll get to it later.

Design approach:

For a case like this, L2L is the way to go. Some will say EZVPN can achieve the same result; sure, both work. One at a time, no rush; I'll cover each.

On to the config, trimmed down with everything non-essential thrown out. Only the command on each line is configuration; the text after it is commentary, not something you type.

Headquarters router VPN configuration

hostname hub   (set the hostname)

!

-------- Phase 1: IKE negotiation, i.e. the parameters the two peers use to set up the tunnel --------

crypto isakmp policy 10    (ISAKMP policy)

encr 3des                 (encryption: 3DES)

authentication pre-share  (authentication with a pre-shared key)

group 2                   (Diffie-Hellman group; check the docs for this one. 3DES and DH group 2 here, and MD5 in the transform set below, are fine for a Packet Tracer lab but are deprecated for production; use AES, SHA-2 and group 14 or higher there.)

!

crypto isakmp key cisco123 address 10.2.2.1  (obvious: the pre-shared key and the peer VPN address; in production use a long random key, not cisco123)

!

-------- Phase 2: the IPsec transform, i.e. how the actual data traffic is protected --------

crypto ipsec transform-set newset esp-3des esp-md5-hmac     (ESP with 3DES encryption and MD5-HMAC integrity for the traffic inside the tunnel)

!

crypto map map1 5 ipsec-isakmp                              (the crypto map)

set peer 10.2.2.1                                          (peer VPN address)

set transform-set newset                                   (bind the transform set to the crypto map)

match address VPN_BO1                                      (the ACL selecting interesting traffic: only traffic it permits is encrypted; Internet traffic is not)

!

interface FastEthernet0/0

ip address 10.1.1.1 255.255.255.0          (self-explanatory)

ip nat outside                             (NAT outside interface)

crypto map map1                            (apply the crypto map; this is the important part)

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON      (the router logs this message after the line above; it is output, not configuration)

!

interface FastEthernet0/1

ip address 1.1.1.1 255.255.255.0           (LAN side, where PC1 connects)

ip nat inside                              (NAT inside interface)

ip nat inside source list OUT interface FastEthernet0/0 overload    (PAT: traffic permitted by ACL OUT is translated to the F0/0 address)

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.1.2

!

!

ip access-list extended VPN_BO1      (interesting traffic for the crypto map: from the headquarters LAN to the southern branch's 2.2.2.0)

permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

ip access-list extended OUT          (the ACL referenced by NAT)

deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255     (required: NAT runs before the crypto map is checked, so without this line VPN traffic is translated to 10.1.1.1, no longer matches VPN_BO1, and leaves in cleartext)

deny ip host 10.1.1.1 host 10.2.2.1             (not needed in practice: IKE/ESP packets the router itself originates are not translated by inside-source NAT, but it does no harm)

permit ip any any                   (don't forget this one)

!

END.
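Why the first deny line in ACL OUT is mandatory, shown as an added Python example (this is not code from the original post). It models the documented IOS order of operations for a packet travelling from the hub's inside interface F0/1 to its outside interface F0/0: inside-source NAT is applied before the crypto map's match address is evaluated, and ACL matching follows Cisco wildcard semantics. The ACLs are the hub's exactly as listed above; the PC1 address 1.1.1.2 and the Internet destination 8.8.8.8 are assumptions, since the post shows neither.

```python
import ipaddress

# Added example, not from the original post. Models the documented IOS order of
# operations for a packet going from the hub's inside interface (F0/1) to its outside
# interface (F0/0): inside-source NAT runs BEFORE the crypto map is consulted. That is
# why ACL OUT must deny 1.1.1.0/24 -> 2.2.2.0/24, the very traffic VPN_BO1 wants.

def _spec(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'NET WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse extended-ACL entries of the form 'permit|deny ip SRC DST'."""
    entries = []
    for line in lines:
        tokens = line.split()
        src, rest = _spec(tokens[2:])
        dst, _ = _spec(rest)
        entries.append((tokens[0], src, dst))
    return entries

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def acl_action(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

def forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """Return (source address on the wire, encrypted?) for one inside->outside packet."""
    if acl_action(nat_acl, src, dst) == "permit":   # step 1: ip nat inside source list OUT ... overload
        src = outside_ip                             # PAT rewrites the source to the F0/0 address
    encrypted = acl_action(crypto_acl, src, dst) == "permit"   # step 2: crypto map 'match address'
    return src, encrypted

# The hub's ACLs exactly as configured on this page.
VPN_BO1 = parse_acl(["permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"])
OUT_CORRECT = parse_acl([
    "deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255",
    "deny ip host 10.1.1.1 host 10.2.2.1",
    "permit ip any any",
])
OUT_MISSING_DENY = parse_acl(["permit ip any any"])   # the same NAT ACL without the "required" line

HUB_OUTSIDE = "10.1.1.1"   # F0/0 on the hub
PC1 = "1.1.1.2"            # assumed; the post never shows PC1's address
PC2 = "2.2.2.2"            # from the ping output on this page
INTERNET = "8.8.8.8"       # arbitrary Internet destination (assumed)

if __name__ == "__main__":
    for name, nat_acl in (("correct OUT", OUT_CORRECT), ("OUT without the deny", OUT_MISSING_DENY)):
        print(f"{name}:")
        print("  PC1 -> PC2      ", forward(PC1, PC2, nat_acl, VPN_BO1, HUB_OUTSIDE))
        print("  PC1 -> Internet ", forward(PC1, INTERNET, nat_acl, VPN_BO1, HUB_OUTSIDE))
```

With the correct OUT ACL, PC1 -> PC2 leaves with source 1.1.1.2 and is encrypted, while PC1 -> Internet is translated to 10.1.1.1 and sent in the clear through the site's own line. With the deny line missing, PC1 -> PC2 is translated first, no longer matches VPN_BO1, and leaves F0/0 unencrypted towards the default gateway, which is exactly the "ACL mismatch" symptom in the troubleshooting section.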

Verification

Ping PC2 from PC1 to bring up the VPN:

pc1>ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/15 ms

pc1>

Before it comes up, it looks like this:

hub#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

After it is up:

hub#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot          status

10.2.2.1        10.1.1.1        QM_IDLE           1056    0    ACTIVE   (note: it must look like this)

IPv6 Crypto ISAKMP SA

I won't go into the rest of the configuration in detail.

Southern branch router configuration

!

hostname b01

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp key cisco123 address 10.1.1.1

!

!

crypto ipsec transform-set newset esp-3des esp-md5-hmac

!

crypto map map1 5 ipsec-isakmp

set peer 10.1.1.1

set transform-set newset

match address VPN_HUB

interface FastEthernet0/0

ip address 2.2.2.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.2.2.1 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map map1

ip nat inside source list OUT interface FastEthernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 10.2.2.2

!

!

ip access-list extended VPN_HUB

permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

ip access-list extended OUT

deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

deny ip host 10.2.2.1 host 10.1.1.1

permit ip any any

!

end
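Because "ACL mismatch" and mistyped addresses are the most common reasons these two configs fail to negotiate, here is an added Python example (not code from the original post) that parses the hub and b01 listings above and cross-checks everything that must agree between the two sides: each set peer points at the other side's crypto-map interface, each router stores a pre-shared key under the peer's address and the keys are equal, the ISAKMP policy attributes and transform sets are identical, and the two crypto ACLs are exact mirror images. The config text is constructed from the two listings on this page; B01_WRONG_KEY is a deliberately broken variant added for the demonstration.

```python
# Added example, not from the original post: parses the hub and b01 configs from this
# page and cross-checks what must agree for IKE phase 1 and phase 2 to succeed.

def _spec(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'NET WILDCARD'."""
    if tokens[0] == "any":
        return ("any", ""), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Minimal IOS config parser covering only the crypto-relevant sections."""
    cfg = {"policy": {}, "psk": {}, "transform": {}, "map": {}, "iface": {}, "acl": {}}
    section = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        head = " ".join(t[:3])
        if head == "crypto isakmp policy":
            section = ("policy", None)
        elif head == "crypto isakmp key":                    # crypto isakmp key KEY address ADDR
            cfg["psk"][t[5]] = t[3]
        elif head == "crypto ipsec transform-set":
            cfg["transform"][t[3]] = tuple(t[4:])
        elif head.startswith("crypto map") and len(t) >= 5:  # crypto map NAME SEQ ipsec-isakmp
            section = ("map", t[2]); cfg["map"].setdefault(t[2], {})
        elif t[0] == "interface":
            section = ("iface", t[1]); cfg["iface"].setdefault(t[1], {})
        elif head == "ip access-list extended":
            section = ("acl", t[3]); cfg["acl"].setdefault(t[3], [])
        elif section is None:
            continue
        elif section[0] == "policy":                         # encr / hash / authentication / group
            cfg["policy"][t[0]] = " ".join(t[1:])
        elif section[0] == "map":                            # set peer / set transform-set / match address
            cfg["map"][section[1]][t[1] if t[0] == "set" else "acl"] = t[2]
        elif section[0] == "iface" and t[:2] in (["ip", "address"], ["crypto", "map"]):
            cfg["iface"][section[1]]["ip" if t[0] == "ip" else "map"] = t[2]
        elif section[0] == "acl" and t[0] in ("permit", "deny"):
            src, rest = _spec(t[2:])
            cfg["acl"][section[1]].append((t[0], src, _spec(rest)[0]))
    return cfg

def vpn_side(cfg):
    """What this router offers its peer, taken from the interface that carries the crypto map."""
    for iface in cfg["iface"].values():
        if "map" in iface:
            m = cfg["map"][iface["map"]]
            return {"ip": iface["ip"], "peer": m["peer"], "policy": cfg["policy"], "psk": cfg["psk"],
                    "transform": cfg["transform"][m["transform-set"]], "acl": cfg["acl"][m["acl"]]}

def check_pair(a, b):
    """Return the mismatches between two sides; an empty list means they should negotiate."""
    mirrored = [(act, dst, src) for act, src, dst in b["acl"]]   # b's crypto ACL seen from a's side
    checks = [
        (a["peer"] == b["ip"] and b["peer"] == a["ip"], "set peer does not point at the other side's crypto-map interface"),
        (a["psk"].get(b["ip"]) is not None and a["psk"].get(b["ip"]) == b["psk"].get(a["ip"]), "pre-shared key missing for the peer address, or the two keys differ"),
        (a["policy"] == b["policy"], f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}"),
        (a["transform"] == b["transform"], f"transform-set mismatch: {a['transform']} vs {b['transform']}"),
        (a["acl"] == mirrored, "crypto ACLs are not mirror images"),
    ]
    return [msg for ok, msg in checks if not ok]

# The relevant lines of the two configs shown on this page (constructed from the post).
HUB_CFG = """crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.2.2.1
crypto ipsec transform-set newset esp-3des esp-md5-hmac
crypto map map1 5 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set newset
 match address VPN_BO1
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map map1
ip access-list extended VPN_BO1
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
B01_CFG = """crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.1
crypto ipsec transform-set newset esp-3des esp-md5-hmac
crypto map map1 5 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set newset
 match address VPN_HUB
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 crypto map map1
ip access-list extended VPN_HUB
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
B01_WRONG_KEY = B01_CFG.replace("cisco123", "cisco124")   # a typo in the branch's pre-shared key
```

check_pair(vpn_side(parse_config(HUB_CFG)), vpn_side(parse_config(B01_CFG))) returns an empty list for the two configs as posted; swap in B01_WRONG_KEY and it reports the pre-shared key mismatch, and changing the branch's crypto ACL to "permit ip 2.2.2.0 0.0.0.255 any" is flagged as a non-mirror ACL, which on a real box shows up as phase 1 completing and phase 2 never finishing.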

Verification

b01#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

10.1.1.1        10.2.2.1        QM_IDLE           1055    0 ACTIVE  (must look like this)

IPv6 Crypto ISAKMP SA

b01#

Normal. debug ip icmp was on here, so ignore those lines.

pc2>ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

pc2>

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

Troubleshooting. Of course nobody gets the config working on the first try; anyone who does is a freak. Hence the guide below.

1. Why won't it ping after configuring?

Main causes:

ACL mismatch.

If you got an IP address wrong, go kneel on a bed of nails.

VPN not fully established.

show cry isa sa shows this:

hub#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot          status

10.2.2.1        10.1.1.1        QM_IDLE           1056    0    ACTIVE (DELETE)

This looks impressive, but it means the SA is flapping or was never fully established. Don't assume ACTIVE means you're done; far from it.

No need to stare at it: something is misconfigured.

Run debug cry isa.

--- output omitted ---

Looking through it you find this: New State = IKE_P1_COMPLETE   //phase 1 complete.

And then... nothing.

Got it? That means the phase 2 configuration is wrong (typically the crypto ACLs or transform sets on the two sides don't match). Once the fault is localized, fix it yourself.

For reference, here is the normal sequence.

Normal debug output from debug crypto isa:

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE     //main mode

ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_SA_SETUP    //UDP 500 must be permitted along the path

ISAKMP:(0):Sending an IKE IPv4 Packet.

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_SA_SETUP

ISAKMP:(0):found peer pre-shared key matching 10.2.2.1

ISAKMP (1072): His hash no match - this node outside NAT

ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP (0:1072): ID payload

next-payload : 8

type         : 1

address      : 10.1.1.1

protocol     : 17

port         : 500

length       : 12

ISAKMP:(1072): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

ISAKMP (0:1072): ID payload

next-payload : 8

type         : 1

address      : 10.2.2.1

protocol     : 17

port         : 500

length       : 12

ISAKMP:(1072):SA has been authenticated with 10.2.2.1

ISAKMP: Trying to insert a peer 10.1.1.1/10.2.2.1/500/,  and inserted successfully 47CA9F80.

ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1072):Old State = IKE_I_MM6  New State = IKE_I_MM6

ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1072):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE   //phase 1 complete.

ISAKMP:(1072):beginning Quick Mode exchange, M-ID of 69859174

ISAKMP:(1072):QM Initiator gets spi

ISAKMP:(1072): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE

ISAKMP:(1072):Sending an IKE IPv4 Packet.

ISAKMP:(1072):Node 69859174, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

ISAKMP:(1072):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

ISAKMP:(1072):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

ISAKMP (0:1072): received packet from 10.2.2.1 dport 500 sport 500 Global (I) QM_IDLE

ISAKMP:(1072): processing HASH payload. message ID = 69859174

ISAKMP:(1072): processing SA payload. message ID = 69859174

ISAKMP:(1072):Checking IPSec proposal 1

ISAKMP: transform 1, ESP-3DES

ISAKMP:   attributes in transform:

ISAKMP:      encaps is 1 (Tunnel)

ISAKMP:      SA life type in seconds

ISAKMP:      SA life duration (basic) of 3600

ISAKMP:      SA life type in kilobytes

ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

ISAKMP:      group is 5

ISAKMP:      authenticator is HMAC-SHA

ISAKMP:(1072):atts are acceptable.

ISAKMP:(1072): processing NONCE payload. message ID = 69859174

ISAKMP:(1072): processing KE payload. message ID = 69859174

ISAKMP:(1072): processing ID payload. message ID = 69859174

ISAKMP:(1072): processing ID payload. message ID = 69859174

ISAKMP:(1072): Creating IPSec SAs

inbound SA from 10.2.2.1 to 10.1.1.1 (f/i)  0/ 0

(proxy 2.2.2.0 to 1.1.1.0)

has spi 0x468F5A25 and conn_id 0

lifetime of 3600 seconds

lifetime of 4608000 kilobytes

outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0

(proxy 1.1.1.0 to 2.2.2.0)

has spi  0x5CE902D8 and conn_id 0

lifetime of 3600 seconds

lifetime of 4608000 kilobytes

ISAKMP:(1072): sending packet to 10.2.2.1  my_port 500 peer_port 500 (I) QM_IDLE

ISAKMP:(1072):Sending an IKE IPv4 Packet.

ISAKMP:(1072):deleting node 69859174 error FALSE reason “No Error”

ISAKMP:(1072):Node 69859174, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

ISAKMP:(1072):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE   //phase 2 complete: VPN established.

hub#
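The post's reading of these two outputs, turned into an added Python example (not the post's own code): in show crypto isakmp sa, QM_IDLE with status ACTIVE means phase 1 is up, ACTIVE (DELETE) means the SA is being torn down or flapping, and an empty table means nothing has triggered the tunnel; in debug crypto isakmp, IKE_P1_COMPLETE without a later IKE_QM_PHASE2_COMPLETE places the fault in phase 2, and the "(proxy A to B)" lines let you confirm the negotiated identities match the crypto ACLs. The sample outputs are constructed from the ones shown on this page.

```python
import re

# Added example, not from the original post: reads the two outputs the post uses for
# troubleshooting ('show crypto isakmp sa' and 'debug crypto isakmp') and reports which
# phase the tunnel is stuck in. The sample texts below are constructed from the post.

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_isakmp_sa(text):
    """Return one dict per SA row of 'show crypto isakmp sa' (dst src state conn-id slot status)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and _IPV4.match(parts[0]) and _IPV4.match(parts[1]):
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                         "conn_id": int(parts[3]), "slot": int(parts[4]),
                         "status": " ".join(parts[5:])})
    return rows

def phase1_verdict(sa_text, peer):
    """Classify the phase-1 SA with a given peer from 'show crypto isakmp sa' output."""
    for sa in parse_isakmp_sa(sa_text):
        if peer not in (sa["dst"], sa["src"]):
            continue
        if "DELETE" in sa["status"]:
            return "flapping"      # ACTIVE (DELETE): SA torn down or renegotiating, not usable
        if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE":
            return "up"            # phase 1 done, quick mode can run
        return "negotiating"       # MM_* / AG_* states: still in main or aggressive mode
    return "none"                  # nothing triggered the tunnel, or phase 1 never started

def phase2_verdict(debug_text):
    """Classify where 'debug crypto isakmp' output stops."""
    if "IKE_QM_PHASE2_COMPLETE" in debug_text:
        return "tunnel-up"
    if "IKE_P1_COMPLETE" in debug_text:
        return "phase2-failed"     # peers authenticated but disagree on crypto ACL / transform set
    return "phase1-failed"         # key, policy or reachability (UDP/500) problem

def proxy_ids(debug_text):
    """Extract the '(proxy A to B)' identities from a successful quick mode."""
    return re.findall(r"\(proxy (\S+) to (\S+)\)", debug_text)

# Constructed from the outputs shown in the post.
SA_EMPTY = "IPv4 Crypto ISAKMP SA\ndst             src             state          conn-id slot status\n"
SA_UP = SA_EMPTY + "10.2.2.1        10.1.1.1        QM_IDLE           1056    0    ACTIVE\n"
SA_DELETE = SA_EMPTY + "10.2.2.1        10.1.1.1        QM_IDLE           1056    0    ACTIVE (DELETE)\n"
DEBUG_OK = """ISAKMP:(1072):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
ISAKMP:(1072): Creating IPSec SAs
        inbound SA from 10.2.2.1 to 10.1.1.1 (f/i)  0/ 0
        (proxy 2.2.2.0 to 1.1.1.0)
        outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0
        (proxy 1.1.1.0 to 2.2.2.0)
ISAKMP:(1072):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""
DEBUG_STUCK = "ISAKMP:(1072):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE\n"

if __name__ == "__main__":
    for name, text in (("empty", SA_EMPTY), ("up", SA_UP), ("delete", SA_DELETE)):
        print(f"show crypto isakmp sa ({name}): phase 1 {phase1_verdict(text, '10.2.2.1')}")
    print("debug (full trace):", phase2_verdict(DEBUG_OK), proxy_ids(DEBUG_OK))
    print("debug (stops after P1):", phase2_verdict(DEBUG_STUCK))
```

The DELETE check runs before the QM_IDLE check on purpose: the state column still reads QM_IDLE in the ACTIVE (DELETE) case from the troubleshooting section, so looking at the state alone would call a dying SA healthy.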

 

Full configuration and topology download: http://pan.baidu.com/share/link?shareid=521690&uk=4144237329

Source: CCIE那点事 http://www.jdccie.com/ All rights reserved. Unless otherwise noted, articles on this site are the author's original work; they may be freely quoted with attribution. Full reposting is prohibited.
Article link: http://www.jdccie.com/?p=1862 (please credit CCIE那点事 when reposting)